

NASA Contractor Report 166050 




NASA-CR-166050


19830012655


Reliability Analysis and 
Fault-Tolerant System 
Development for a Redundant 
Strapdown Inertial Measurement Unit 


Paul Motyka 

The Charles Stark Draper Laboratory, Inc. 
Cambridge, Massachusetts 02139 


Contract NAS1-16887
March 1983 





NASA 

National Aeronautics and 
Space Administration 

Langley Research Center 

Hampton Virginia 23665 









TABLE OF CONTENTS


Section

1    INTRODUCTION

2    BACKGROUND AND RESULTS OF THE PREVIOUS STUDY
     2.1  Sensor Configuration
     2.2  General Concepts of FDI
     2.3  Summary of the Previous Study

3    RSDIMU RELIABILITY ANALYSIS
     3.1  Introduction
     3.2  Description of Procedure
     3.3  Summary of Equations
     3.4  Definition of the RSDIMU Operational States
     3.5  State Transition Diagrams
     3.6  Additional Markov Model Assumptions and Considerations
     3.7  Nominal Markov Model Parameters
     3.8  Results

4    DERIVATION OF DYNAMIC THRESHOLDS FOR THE DUAL, SEPARATED RSDIMU
     4.1  Introduction
     4.2  Structural-Mode Effects
     4.3  Accelerometer Lever-Arm Effects
     4.4  Background
     4.5  EVT Parity Equations
     4.6  The Derivation of Dynamic Thresholds for the EVT
     4.7  Description of the GLT Algorithm
     4.8  The Derivation of Dynamic Thresholds for the GLT
     4.9  Simulation Validation and Results

5    SUMMARY

LIST OF REFERENCES



LIST OF ACRONYMS


BITE      built-in test equipment
CSDL      The Charles Stark Draper Laboratory, Inc.
EVT       Edge Vector Test
FDI       failure detection and isolation
GLT       Generalized Likelihood Test
IMU       inertial measurement unit
MTBF      mean time between failures
NASA      National Aeronautics and Space Administration
PFA       Probability of False Alarm
RSDIMU    redundant strapdown inertial measurement unit
SDOF      single degree of freedom
TDOF      two degree of freedom



LIST OF SYMBOLS 


Ai, Bi      two input axes of instruments, i = 1,2,3,4

b           magnitude of bias failure (rad or m/s)

d           distance from cg to sensor location with components
            d_x, d_y, d_z (m)

DF_d        failure decision function (rad^2 or (m/s)^2)

            failure isolation function for the jth sensor (rad^2 or
            (m/s)^2)

e_ij        edge vectors relating instruments, i,j = 1,2,3,4

F_ij        logical variables in edge vector algorithm used to detect
            and isolate failures in instruments i and j, i,j = 1,2,3,4

            gravitational constant (9.8062 m/s^2/g (32.1725 ft/s^2/g))

h           altitude (m)

H           sensor configuration geometry matrix

m           sensor outputs (rad or m/s)

n           number of sensors or states

            longitudinal, lateral, and normal body-axes linear inertial
            accelerations (g)

            coefficients relating effect of vehicle structural modes
            on linear accelerations, i = 1,2,...,6 (g-s^2)



p, q, r body axes roll, pitch, yaw rates (deg/s) 

p* ,q* / r* coefficients relating effect of vehicle structural modes 

n i n i T1 - 

on angular rates, i = 1,2,..., 6 (deg) 

P              single-step state-transition matrix

P(k,ℓ)         element of matrix P designating the probability that
               state ℓ makes a transition to state k in a single time
               step

PDAM           probability of damage

PFiA           probability of an accelerometer failure given that i are
               in use

PDiA(H,M,S)    probability of detecting an accelerometer failure in the
               (H = hard, M = mid, S = soft) FDI channel given that i
               accelerometers are in use

PIiA(H,M,S)    probability of isolating an accelerometer failure in the
               H, M, or S FDI channel given that i accelerometers are in
               use

PFAiA(H,M,S)   probability of an accelerometer false alarm in the H, M,
               or S FDI channel given that i accelerometers are in use

PFiG           probability of a gyro failure given that i are in use

PDiG(H,M,S)    probability of detecting a gyro failure in the H, M, or S
               FDI channel given that i gyros are in use

PIiG(H,M,S)    probability of isolating a gyro failure in the H, M, or S
               FDI channel given that i gyros are in use

PFAiG(H,M,S)   probability of a gyro false alarm in the H, M, or S FDI
               channel given that i gyros are in use

               edge vector algorithm parity-equation residuals for
               instruments i and j, i,j = 1,2,3,4 (rad or m/s)

               spin axis of instrument i, i = 1,2,3,4

t              time in seconds (s)



X, y, Z 


failure-detection threshold (rad or m/s for the EVT, rad^2
or (m/s)^2 for the GLT)

time for filter to reach 90 percent of its final value (s) 

(n - 3) x n matrix of parity equations

jth column of V

body axes system components 

offset of IMU from vehicle centerline (m) 

separation of IMUl, IMU2 from IMU centerline (m) 

/3 - 1 
2/3 

accelerometer input-pendulous-axes cross-coupling error (μg/g^2)

/3 + 1 

2/3 

accelerometer input-axis-squared error (μg/g^2)

1//3 

increment of quantity i 
state probability vector 
scale-factor error (ppm) 

measurement noise which is Gaussian with zero mean
generalized bending mode coefficients, i = 1,2,...,6
bias error (deg/s or μg)
misalignment error (rad)

GLT parity-equation residuals (rad or m/s)

standard deviation of the instrument noise (rad or m/s)

three-dimensional vector of body-axes inertial linear
accelerations (g) or angular rates (deg/s)



B 

to. 

13 


body axes component of the output of the i 

1 .V 

or gyro along 3 axes (m/s or rad) 


Subscripts

Ai, Bi      sensor input axes
a           accelerometer
B           structural mode effects included
cg          center of gravity
F           presence of failed sensor
f           filtered
i,j,k,ℓ     element number, row, and/or column
L           left
ℓa          lever arm
m           positive maximum or upper bound
N           absence of failed sensor
R           right
2           2 Hz
50          50 Hz


Superscripts

B           body-axes system
N           number of time steps in a time interval
p           pendulous-axes system
T           transpose
^           estimate


accelerometer 





SECTION 1 


INTRODUCTION 


The material contained in this report is a result of the study of
the Redundant Strapdown Inertial Measurement Unit (RSDIMU) being developed
and evaluated by the NASA Langley Research Center. The work was conducted
by The Charles Stark Draper Laboratory, Inc. (CSDL) under NASA Contract
NAS1-16887 entitled the False Alarm/Reliability Analyses for a Separated
Dual-Fail Operational Redundant Strapdown Inertial Measurement Unit.
It is a follow-on to a previous effort described in Reference 1. The
goal of the initial effort was to assess the feasibility of performing
failure detection and isolation (FDI) for the RSDIMU in an air transport
environment, develop and evaluate FDI algorithms for the RSDIMU, and
analyze FDI system performance.

The present study uses the results of the previous effort as a 
basis. The RSDIMU sensor configuration, a description of some of the 
basic concepts associated with FDI and a summary of the major results of 
the previous study are presented in Section 2 to provide the reader with 
some background into the system being analyzed and concepts being evaluated. 

One of the major reasons for considering the dual, separated RSDIMU
is to improve the survivability of the aircraft when damage to the
inertial measurement unit occurs, while achieving a desired level of fault
tolerance with fewer instruments. This subject is addressed in Section 3
where a methodology for quantitatively analyzing the reliability of
redundant avionics systems in general and the dual, separated RSDIMU system
in particular is developed and applied. A Markov model reliability
analysis tool is developed and applied. The results of the parametric
study of significant instrument and FDI system variables are presented
and discussed.

The detection and isolation of failures of the dual, separated
RSDIMU is accomplished by comparing a function of the sensor outputs
with a threshold. The thresholds for a colocated cluster of instruments
must account for the nominal sensor errors and aircraft dynamic
environment to detect the smallest possible level of failure without
encountering a prohibitive number of false alarms or the false detection
of failures. The separation of the RSDIMU into two separated clusters
severely complicates the selection of the thresholds. The incremental
structural mode and accelerometer lever arm effects between the locations
of the two instrument clusters must now be taken into account. A
technique is developed and analyzed for generating the thresholds for a
dual, separated RSDIMU taking all of the previously mentioned factors into
account. Special emphasis is given to the detection of multiple,
non-concurrent failures. Section 4 contains the results.

Section 5 summarizes the results of this study. 

Dr. P. Motyka was the project leader for CSDL while Dr. J. Lee 
developed and exercised the RSDIMU Markov model discussed in Section 3. 


SECTION 2


BACKGROUND AND RESULTS OF THE PREVIOUS STUDY 


2.1 Sensor Configuration 

The inertial measurement unit shown in Figure 1 is a redundant
strapdown package employing four two-degree-of-freedom (TDOF) gyros
(accelerometers) in a semi-octahedral geometry. The instruments are
positioned such that the spin (pendulous) axes are normal to the four
faces of the semi-octahedron and point out. The two measurement axes
of the gyros and accelerometers lie in the plane of the face and are
symmetric about the face centerline. The RSDIMU consists of two separate
packages (faces 1 and 2, faces 3 and 4) which may be spatially separated
along a track in the lateral direction. Thus, it may be treated as two
tetradic IMUs as indicated in Figure 2. The reason for separating the
RSDIMU into two halves is to provide protection against damage effects
due to lightning, structural failure, etc. The benefits of redundancy
in the form of improved system reliability are retained by using sensor
information from both halves of the IMU for failure detection and
isolation purposes.

The nominal geometry matrix, defining the sensor input axes 
relative to the vehicle body axes is 

The dashed line indicates the separation of the RSDIMU into two halves.


2.2 General Concepts of FDI 

This section is included to provide the reader with a background
in the general concepts applied to detect and isolate sensor failures.
It will allow a greater understanding and appreciation of the material
presented in the following sections of the report.

In order to detect and isolate sensor failures, a system of parity 
equations is solved. Parity equations are linear combinations of the 
sensor outputs selected to enhance the uncertainties (failures) associated 
with the sensors. Furthermore, the effects of the quantity which the 
instruments measure, i.e., the angular rates or linear accelerations, are 
removed from consideration by the parity equations. 

Failure detection occurs as a result of comparing the parity
equation residuals or a function of them to a threshold. If the
threshold is exceeded, a failure is declared and the failure is then
isolated. Failure isolation is accomplished using the parity equation
residuals. Several methods are used depending upon the algorithm employed.
Logical operations based on the residuals which exceed the threshold are
one technique used, e.g., a combination of residuals exceeding the
thresholds indicates the failure of a particular sensor. Another approach
involves the dot product of the vector of parity equation residuals with
vectors defined by the coefficients of the parity equations to isolate a
failure.

This, in essence, is the methodology applied to detect and isolate
sensor failures. However, complications arise when applied to a practical
situation. For example, the parity equation residuals are ideally zero
when a failure is not present and nonzero when a failure has occurred.
In reality, the residuals are nonzero because of the uncertainties
associated with the sensors, i.e., the sensor errors, sensor noise,
structural mode effects, accelerometer lever-arm effects, etc. The
residuals due to these factors dictate the level of failure which can be
detected since they do not arise from failures and are a result of normal,
although undesirable, sensor behavior. In a dynamic environment these
uncertainties may be excited to a greater degree. To avoid the false
detection of failures, i.e., false alarms, the thresholds may have to be
compensated for this effect. One possible approach to handling this
problem is the use of dynamic thresholds which are a function of the
environment. Another is in-flight identification and compensation of the
sensor error effects in the FDI decision process.

Normally, unfiltered sensor data is used to detect and isolate
sensor failures of a large magnitude since it is desired to remove their
effects before they affect the controllability of the vehicle. Another
factor in the design of FDI systems is that the effects of small
magnitude failures may be masked by the instrument uncertainty effects.
Filtering of the parity equation residuals may have to be introduced into
the FDI system to enhance their detectability. This is at the expense of
a longer detection time and a design tradeoff exists. The presence of
several channels in the FDI system to detect and isolate different levels
of failures may result.

Two FDI algorithms have been investigated during the course of
this study: the Edge Vector Test (EVT) and the Generalized Likelihood
Test (GLT). They will be defined later in the report when it becomes
expeditious to do so.
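
The parity-equation detection and dot-product isolation described in this section, worked through as an added example that is not code from the report. The geometry (two input axes on each face of a semi-octahedron), the error values, the threshold and all function names are constructed for illustration; the report's nominal geometry matrix is not reproduced here.

```python
import math

def unit(v):
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def cross(u, v):
    return [u[1] * v[2] - u[2] * v[1],
            u[2] * v[0] - u[0] * v[2],
            u[0] * v[1] - u[1] * v[0]]

def constructed_geometry():
    """8 x 3 matrix H: two input axes per instrument on the four faces of a
    semi-octahedron. Constructed stand-in, not the report's nominal H."""
    H = []
    for a, b in ((1, 1), (-1, 1), (-1, -1), (1, -1)):
        s = unit([a, b, 1])            # spin axis, normal to the face
        c = unit([-a, -b, 2])          # face centerline, lies in the face
        t = cross(s, c)                # completes the in-plane pair
        H.append(unit([ci + ti for ci, ti in zip(c, t)]))   # input axis A
        H.append(unit([ci - ti for ci, ti in zip(c, t)]))   # input axis B
    return H

def parity_matrix(H):
    """(n - 3) x n matrix V with V H = 0 and orthonormal rows (Gram-Schmidt)."""
    n = len(H)
    basis = []                         # orthonormal basis of the columns of H
    for col in range(3):
        v = [H[i][col] for i in range(n)]
        for q in basis:
            d = dot(v, q)
            v = [x - d * y for x, y in zip(v, q)]
        basis.append(unit(v))
    V = []
    for j in range(n):                 # complete the basis from unit vectors
        v = [float(i == j) for i in range(n)]
        for q in basis + V:
            d = dot(v, q)
            v = [x - d * y for x, y in zip(v, q)]
        if len(V) < n - 3 and math.sqrt(dot(v, v)) > 1e-9:
            V.append(unit(v))
    return V

def measure(H, omega, errors):
    """Sensor outputs: true rate seen along each input axis plus sensor error."""
    return [dot(h, omega) + e for h, e in zip(H, errors)]

def fdi(V, m, threshold):
    """Return (failure_declared, isolated_axis_or_None, decision_value)."""
    p = [dot(row, m) for row in V]     # parity residuals, independent of omega
    decision = dot(p, p)
    if decision <= threshold:
        return False, None, decision
    scores = []
    for j in range(len(m)):
        vj = [row[j] for row in V]     # j-th column of V
        scores.append(dot(p, vj) ** 2 / dot(vj, vj))
    return True, scores.index(max(scores)), decision

# Constructed sample data: nominal sensor errors, threshold and bias failure.
SIGMA = 1.0e-3
NOMINAL_ERRORS = [SIGMA * x for x in (0.5, -1.0, 0.3, 0.8, -0.6, 0.1, -0.4, 0.9)]
THRESHOLD = 25.0 * SIGMA ** 2
BIAS = 20.0 * SIGMA

def run_case(omega, failed_axis=None):
    H = constructed_geometry()
    V = parity_matrix(H)
    errors = list(NOMINAL_ERRORS)
    if failed_axis is not None:
        errors[failed_axis] += BIAS
    return fdi(V, measure(H, omega, errors), THRESHOLD)

if __name__ == "__main__":
    print("no failure    :", run_case([0.3, -0.2, 0.1]))
    print("bias on axis 5:", run_case([0.3, -0.2, 0.1], failed_axis=5))
```

The residuals stay at the same nonzero level whatever the vehicle rates are, which is why the threshold has to be sized to the nominal sensor errors rather than set to zero.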

2.3 Summary of the Previous Study

As mentioned previously, this effort is a follow-on to a previous
study. During the initial study, the feasibility of performing FDI for
the RSDIMU in an air transport environment was demonstrated and a
methodology was developed for the design and evaluation of fault-tolerant
systems. A spectrum of failure magnitudes was accounted for. The RSDIMU
was also used for both flight control and navigation purposes during
this study. The GLT and EVT FDI algorithms were compared with respect
to factors such as the parity equations used, software requirements,
failure detection and isolation capability, thresholds, etc. The GLT
algorithm is preferred because of its technical maturity. It was also
determined that dynamic thresholds were needed for the soft failure
channel, and an algorithm was developed for generating them.

The block diagram of the FDI system which evolved from this study 
is shown in Figure 3. This system reflects the ideas and conclusions 
addressed in the previous paragraphs and will be used as the basis for 
the technical development in the succeeding sections. 

Figure 3. FDI algorithm block diagram.


SECTION 3


RSDIMU RELIABILITY ANALYSIS 


3.1 Introduction

The goal of this section is to develop and apply a methodology
for quantitatively analyzing the reliability of redundant avionics
systems in general and the dual, separated RSDIMU system in particular.

The need for an analytic reliability evaluation tool to evaluate 
the performance of fault-tolerant systems is clear. Evaluation of these 
systems by testing is prohibitive since their highly reliable nature 
implies a large number of test samples and/or extremely long test periods. 
In addition, the probabilistic nature of fault-tolerant systems precludes 
application of conventional analysis techniques such as covariance 
analysis. 

CSDL's approach to this problem is to apply a Markov reliability
evaluation model, defined in terms of the operational states of the system,
to predict system performance through figures-of-merit. This methodology
has been developed and refined during the course of several technological
development programs. It can be used to obtain quantitative data to
support the specification and validation of requirements, architecture
evaluation, the cross comparison of systems, design tradeoffs, and the
efficient allocation of resources throughout the definition, design,
and test phases of their development. The Markov model is defined in
terms of states which represent the operational modes of the system.
These include not only the normal mode of system operation with no failed
components present but the degraded modes as well which represent the
state of system operation arrived at because of correct or incorrect
decisions made by the redundancy management system, e.g., the detection
and isolation of failures, false alarms, missed detections, etc. In
this sense, the model is defined to truly represent the operation of
the fault-tolerant system. The Markov model is used to generate the
probability of the system being in one of the defined operational states
after a prespecified length of time using the single-step state-transition
probabilities.

Different measures of system performance are obtained from the 
Markov model approach. One of the most important and widely used is the 
probability of the system becoming inoperative by the end of the mission. 
Other outputs which can be obtained are the time histories of the state 
probabilities, the state occupancy statistics, and the mean and variance 
of the time to system failure. 

3.2 Description of Procedure 

The Markov model evolves from a system block diagram outlining 
the partitioning of the system and the interconnections among the various 
system components. This block diagram is then used to define the system's 
operational states. A significant problem in developing a Markov model 
lies in determining the states that are sufficient to characterize the 
operation of the system while at the same time limiting their number 
and, hence, the order of the system for computational reasons. The 
order of the Markov model grows exponentially as a function of the number 
of states. 

The next step in the procedure is to develop single-step
state-transition diagrams. These diagrams indicate the states that may
evolve from a given initial state in a single step, the decisions made in
achieving these states, and the probabilities associated with these
decisions. The state-transition probabilities are then calculated from
the state-transition diagram and put into matrix form for Markov
probability theory application. Each element of the state-transition
matrix is the probability of going from an initial state to another state
in a single time step.

The last step in the procedure involves the propagation in time
of the system probabilities by raising the matrix of transition
probabilities to a power equal to the number of time steps. Auxiliary
statistical information regarding the performance of the FDI system is
also calculated.

3.3 Summary of Equations

Let P represent the single-step state-transition matrix of the
Markov model. The element P(k,ℓ) of P designates the probability that
state ℓ makes a transition to state k in a single time step. The states
are ordered in such a way that transitions from any state ℓ to any state
k where k < ℓ are impossible. This is equivalent to assuming that the
failures and FDI decisions are irreversible. P is a lower triangular
square matrix with its dimension equal to the number of states, n. Let
δ(t) represent the n-dimensional state probability vector for the system.
The following relations must hold for the columns of P and for δ(t):

$$\sum_{k=1}^{n} P(k,\ell) = 1.0 \quad \text{for } \ell = 1,\ldots,n$$

$$\sum_{\ell=1}^{n} \delta_{\ell}(t) = 1.0 \quad \text{for all } t$$

These relations reflect the requirement that each state must undergo a
transition to some state (perhaps itself) in each time step, and that
the system must be in one of the n states of the model at all times.

Assuming that the probabilities which define the elements of the
matrix P are invariant in time, the state probability vector δ(t) at any
time t can be computed by

$$\delta(t) = P^{N}\,\delta(0)$$

where the exponent N designates the number of time steps in an interval
of length t. The matrix P^N is referred to as the N-step transition
probability matrix. The individual columns of P^N thus correspond to the
state probability vectors δ(t) given that the system was initialized
to state ℓ.

3.4 Definition of the RSDIMU Operational States

The RSDIMU system block diagram, shown in Figure 4, forms the 
basis for the discussion regarding the definition of the operational 
states for the reliability model presented in Table 1. This diagram 
indicates the system components, their level of redundancy, and their 
interconnections. The manner in which the RSDIMU is separated into two 
halves is also apparent from this diagram. 

The operational states of the RSDIMU have been defined to reflect 
failures of the sensors only and the FDI system decisions made with regard 
to them. The impact of failures of the computers and additional peripheral 
equipment on system reliability has been neglected during this study. 
However, there is no reason why the reliability analysis could not be 
modified to reflect these additional components. The effects of damage 
have been considered. 

Figure 4. RSDIMU system configuration.

27 states have been defined for the RSDIMU Markov model. The means
by which some of the states are arrived at is discussed to give the reader
insight into the reasons for their being defined. The first state is
the assumed starting condition for system operation where no sensor
failures are present. States 2 through 25 reflect various stages of
degraded RSDIMU system operation due to the effects of sensor failures
and the FDI system decisions made during the course of system operation.
For example, State 2 represents the condition where a sensor has failed
but the failure has not yet been detected by the FDI system. State 3
defines the operational mode where either the failure present in State 2
has been detected and correctly isolated and the system reconfigured to
remove its effects, a gyro false alarm has occurred when the system was
initially in State 1 and an unfailed sensor removed from operation, or
a gyro failure occurs while in State 1 and it is detected and correctly
isolated.

Table 1. Definition of RSDIMU Operational States.

State   Definition
  1     4 Gyros In Use, 4 Good; 4 Accelerometers In Use, 4 Good
  2     4 Gyros In Use, 3 Good, 1 Failed; 4 Accelerometers In Use, 4 Good
  3     3 Gyros In Use, 3 Good; 4 Accelerometers In Use, 4 Good
  4     4 Gyros In Use, 4 Good; 4 Accelerometers In Use, 3 Good, 1 Failed
  5     4 Gyros In Use, 4 Good; 3 Accelerometers In Use, 3 Good
  6     4 Gyros In Use, 3 Good, 1 Failed; 4 Accelerometers In Use, 3 Good, 1 Failed
  7     4 Gyros In Use, 3 Good, 1 Failed; 3 Accelerometers In Use, 3 Good
  8     3 Gyros In Use, 3 Good; 4 Accelerometers In Use, 3 Good, 1 Failed
  9     3 Gyros In Use, 3 Good; 3 Accelerometers In Use, 3 Good
 10     3 Gyros In Use, 2 Good, 1 Failed; 4 Accelerometers In Use, 4 Good
 11     2 Gyros In Use, 2 Good; 4 Accelerometers In Use, 4 Good
 12     4 Gyros In Use, 4 Good; 3 Accelerometers In Use, 2 Good, 1 Failed
 13     4 Gyros In Use, 4 Good; 2 Accelerometers In Use, 2 Good
 14     3 Gyros In Use, 2 Good, 1 Failed; 4 Accelerometers In Use, 3 Good, 1 Failed
 15     3 Gyros In Use, 2 Good, 1 Failed; 3 Accelerometers In Use, 3 Good
 16     2 Gyros In Use, 2 Good; 4 Accelerometers In Use, 3 Good, 1 Failed
 17     2 Gyros In Use, 2 Good; 3 Accelerometers In Use, 3 Good
 18     4 Gyros In Use, 3 Good, 1 Failed; 3 Accelerometers In Use, 2 Good, 1 Failed
 19     3 Gyros In Use, 3 Good; 3 Accelerometers In Use, 2 Good, 1 Failed
 20     4 Gyros In Use, 3 Good, 1 Failed; 2 Accelerometers In Use, 2 Good
 21     3 Gyros In Use, 3 Good; 2 Accelerometers In Use, 2 Good
 22     3 Gyros In Use, 2 Good, 1 Failed; 3 Accelerometers In Use, 2 Good, 1 Failed
 23     3 Gyros In Use, 2 Good, 1 Failed; 2 Accelerometers In Use, 2 Good
 24     2 Gyros In Use, 2 Good; 3 Accelerometers In Use, 2 Good, 1 Failed
 25     2 Gyros In Use, 2 Good; 2 Accelerometers In Use, 2 Good
 26     Same as 25, but RSDIMU damaged
 27     Failed State

States 4 and 5 are similar to States 2 and 3 except that
accelerometer failures are present rather than gyro failures. The
occurrence of a gyro failure when an accelerometer failure exists and vice
versa leads to the definition of State 6 as one of the possible modes of
RSDIMU operation. State 7 results from any one of four events: the
detection and isolation of the accelerometer failure present in State 6,
an undetected gyro failure when the system is operating in State 5, or an
accelerometer false alarm or failure which is detected and correctly
isolated when the system is in State 2.

The rest of the Markov model states through 25 evolve as a result 
of similar thinking as more sensor failures and FDI decisions are made 
during the course of operation of the RSDIMU system. Eventually, a mode 
of operation results for which two unfailed gyros and two unfailed 
accelerometers are available for use. This is State 25. The only other 
states that require elaboration are States 26 and 27. State 26, although 
similar to State 25, differs from it in that it arises as a result of 
damage effects to the RSDIMU. It is defined separately should it be 
desired to assess the impact of damage effects independently of the normal 
mode of system operation. The last state of the model is defined as 
the failed state, State 27, which includes modes of operation for which 
there are fewer than two unfailed gyros or two unfailed accelerometers 
available, either because of damage effects or sensor failures or the 
presence of two failed gyros or two failed accelerometers simultaneously. 

The question naturally arises concerning the definition of a
suitable and valid figure-of-merit for assessing the reliability
performance of the RSDIMU system. The measure selected is the probability
of having a failure present in the system. It includes the probability of
the system being in any one of the states listed in Table 2. This
parameter was chosen to assess system performance since it covers all
ranges of FDI system performance. For example, if the FDI system is
perfectly designed, all of the instrument failures will be detected and
correctly isolated and the probability of being in State 27 will be the
measure of the reliability of the system. However, if the performance of
the FDI system is poor, failures will not be detected and isolated as
quickly or as correctly and the probability of being in the intermediate
states will more aptly define system performance. Any system for which a
failure is present is detrimental to achieving the goals of the system and
the definition of the probability of having a failure present in the system
as a figure-of-merit covers all extremes of system operation and
performance.

Table 2. States defining system failure.

3.5 State Transition Diagrams 

The next step in the development of the RSDIMU Markov reliability
model involves the generation of the state transition diagrams. These
diagrams indicate the effects of component failures, the FDI system
decisions, and the operational states which result from them given an
initial starting state. As an example, Figure 5 shows the transitions
out of the initial state of RSDIMU system operation for all possible
component failures, all possible FDI decisions, and the effects of damage.
The final state of operation which results from each of these factors
is also indicated. The state transition diagrams also reflect the basic
structure of the FDI system presented in Figure 3 in that three channels
of operation have been defined to cover hard, medium, and soft failures.

Once generated, the state transition diagrams are used to generate 
the state transition probabilities or elements of the single-step state 
transition matrix. This is done by multiplying the entries along a given 
path to obtain the conditional probability of transitioning to the end 
state in a single time step given operation in the initial state. 

3.6 Additional Markov Model Assumptions and Considerations 

The state transition probabilities for the RSDIMU reflect the
fact that the three channels of FDI system operation are performed at
different rates. This is done by assuming that the Markov model is run
at the lowest FDI system frequency, i.e., that of the soft-failure
channel, and modifying the probabilities associated with the hard- and
mid-failure channels to account for the higher frequency of operation. For
example, the accelerometer hard-failure channel probabilities are
modified as follows to reflect the fact that it operates at a frequency
which is 25 times faster than that of the soft-failure channel.

$$\mathrm{PD4AH}_{2} = 1.0 - (1.0 - \mathrm{PD4AH}_{50})^{25}$$

$$\mathrm{PI4AH}_{2} = 1.0 - (1.0 - \mathrm{PI4AH}_{50})^{25}$$

$$\mathrm{PFA4AH}_{2} = 1.0 - (1.0 - \mathrm{PFA4AH}_{50})^{25}$$

Figure 5. RSDIMU state transition diagram.

The Markov model probabilities must also reflect any effects of
IMU separation and communication between the two halves of the system. 
Communication allows treating the dual, separated system as a single 
cluster of instruments for FDI purposes. That is, information from both 
halves can be used to detect and isolate failures. The FDI system 
thresholds must also account for separation effects. They must be 
selected to account for instrument uncertainties such as sensor errors, 
sensed structural mode effects, and accelerometer lever-arm effects, to 
avoid the detrimental effects of false alarms. The state transition 
probabilities must then reflect the FDI system probabilities which result 
from the selection of the thresholds to account for these factors. 

Another assumption that could have been made during the
development of the Markov model for the RSDIMU but was not is that if a
failure is not detected and/or isolated after a specified number of time
steps, the system is in the failed state. As the present Markov model is
defined, a failure can be detected and/or isolated continuously after its
occurrence until the mission terminates.

3.7 Nominal Markov Model Parameters

The nominal parameters selected for evaluating the reliability
of the RSDIMU via the Markov model are listed in Table 3. A system with
perfect FDI has been assumed, i.e., a probability of 1.0 for detection
and correct failure isolation and zero probability of false alarm. The
MTBF of the gyro is 13,333 hours and that of the accelerometers is 16,666
hours. These numbers were obtained from Reference 2. A mission time of
1 hour and zero probability of damage effects have been assumed. The
nominal data rates for the three FDI system channels are also listed.

3.8 Results 

A large number of Markov model computer runs were made to assess
the effects of different system parameters on the reliability of the
RSDIMU. Two baseline values of reliability were obtained. One is
$2.576 \times 10^{-12}$, which is the probability of system failure for the
nominal Markov model parameters presented in Table 3. The other baseline
value is $5.397 \times 10^{-4}$, which is the probability of system failure
with no FDI and redundancy management present. Thus, an eight order of
magnitude improvement in RSDIMU reliability can be obtained under optimum
conditions.

Table 3. Markov model nominal parameters.

Parameter                                  Units          Value
Levels of FDI                              -              3.
Hard Channel Data Rate                     Hz             50.
Mid Channel Data Rate                      Hz             25.
Soft Channel Data Rate                     Hz             2.
Mission Time                               Hours          1.
Gyro Failure Rate                          /10^6 Hours    76.
Accelerometer Failure Rate                 /10^6 Hours    59.
Probability of Failure Detection           -              1.0
Probability of Correct Failure Isolation   -              1.0
Probability of False Alarm                 -              0.0
Probability of Damage Effects              -              0.0

Other RSDIMU reliability results are graphically presented in 
Figures 6 through 12. Figure 6 shows the effect of gyro failure rate on 
the probability of RSDIMU system failure. The results indicate that 
if the reliability of one of the instruments is much worse than that of 
the other, that instrument will govern the reliability of the RSDIMU. 
Conversely, little improvement in system reliability can be achieved by 
improving the reliability of the more reliable instrument.

Figure 6. Probability of system failure vs. gyro failure rate.
(Horizontal axis: gyro failure rate relative to nominal.)

The effect of varying the failure rates of both the gyros and 
accelerometers together on the RSDIMU system reliability is shown in 
Figure 7. The reliability of the RSDIMU improves three orders of 
magnitude for each order of magnitude improvement in the reliability of 
the gyros and accelerometers. 

Figure 7. Probability of system failure vs. gyro and
accelerometer failure rates.
(Vertical axis: probability of system failure. Horizontal axis: gyro and
accelerometer failure rates relative to nominal.)

The impact of false alarms on RSDIMU reliability is indicated in
Figure 8. Their effect is dependent upon the level of FDI system
thresholds selected, thus the independent variable in this study is the level
of thresholds relative to the instrument noise level. Per sample values
of the probability of false alarm (PFA) can be calculated making certain
assumptions. If the GLT method of FDI is assumed, the probability of
false alarm can be calculated from a $\chi^2$ probability density function
with n - 3 degrees of freedom (Reference 3). The resultant values of
PFA are presented in Table 4. The results of this study indicate that
a threshold level of $7.5\sigma$ or greater will minimize the impact of false
alarms on RSDIMU system reliability.
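
The per-sample false-alarm probabilities of Table 4, and the 25-sample compounding applied earlier to the faster failure channels, can be reproduced with the following added example (not code from the report). It assumes each of the N instruments supplies two measurements, so the chi-square statistic has 2N - 3 degrees of freedom, and that a threshold of k sigma means comparing the unit-variance sum of squared parity residuals with k squared.

```python
import math


def chi2_sf(x, dof):
    """P(chi-square with `dof` degrees of freedom > x), closed form for integer dof."""
    if dof < 1:
        raise ValueError("dof must be a positive integer")
    if x <= 0.0:
        return 1.0
    if dof % 2 == 0:
        # Even dof: exp(-x/2) * sum_{j=0}^{dof/2-1} (x/2)^j / j!
        term = total = 1.0
        for j in range(1, dof // 2):
            term *= (x / 2.0) / j
            total += term
        return math.exp(-x / 2.0) * total
    # Odd dof = 2m+1:
    #   erfc(sqrt(x/2)) + sqrt(2/pi) * exp(-x/2) * sum_{j=1}^{m} x^(j-1/2) / (2j-1)!!
    term = math.sqrt(x)
    total = 0.0
    for j in range(1, (dof - 1) // 2 + 1):
        if j > 1:
            term *= x / (2 * j - 1)
        total += term
    tail = math.erfc(math.sqrt(x / 2.0))
    return tail + math.sqrt(2.0 / math.pi) * math.exp(-x / 2.0) * total


def per_sample_pfa(threshold_sigma, n_instruments, meas_per_instrument=2):
    """Per-sample false-alarm probability of the GLT detection test.

    Assumption: n = n_instruments * meas_per_instrument measurements, so the
    sum of squared parity residuals has n - 3 degrees of freedom, and the
    threshold k*sigma corresponds to comparing that sum with k**2.
    """
    dof = n_instruments * meas_per_instrument - 3
    return chi2_sf(float(threshold_sigma) ** 2, dof)


def per_step_probability(p_sample, samples_per_step=25):
    """1 - (1 - p)^N, the page's correction for a channel that runs N times
    per step of the slow channel, evaluated without cancellation for tiny p."""
    if p_sample >= 1.0:
        return 1.0
    return -math.expm1(samples_per_step * math.log1p(-p_sample))


def table4(thresholds=(6, 7, 7.5, 8), instruments=(4, 3, 2)):
    """Per-sample PFA for each threshold (rows) and instrument count (columns)."""
    return {k: [per_sample_pfa(k, n) for n in instruments] for k in thresholds}


if __name__ == "__main__":
    for k, row in table4().items():
        print(f"{k:>4} sigma  " + "  ".join(f"{p:.2e}" for p in row))
    p = per_sample_pfa(7.5, 4)
    print("per soft-channel step:", per_step_probability(p, 25))
```

Under these assumptions the 6, 7 and 8 sigma rows agree with Table 4 to within about 1%, while the 7.5 sigma row computes to about 7.2e-11, 3.7e-12 and 6.4e-14, which differs from the printed row by roughly 2 to 18 percent. The `expm1`/`log1p` form matters at these magnitudes: the direct expression `1 - (1 - p)**25` returns exactly zero once p drops below double-precision resolution.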

Figure 8. Probability of system failure vs. FDI system thresholds.
(Vertical axis: probability of system failure. Horizontal axis: FDI system
thresholds relative to instrument noise level, $\sigma$.)

Table 4. Probability of false alarm for the RSDIMU Markov model
reliability study.

Threshold                Number of Instruments
($\sigma$)       4                3                2
6           9.50 x 10^-7     7.49 x 10^-8     1.97 x 10^-9
7           2.22 x 10^-9     1.30 x 10^-10    2.56 x 10^-12
7.5         7.08 x 10^-11    3.16 x 10^-12    7.08 x 10^-14
8           1.81 x 10^-12    8.21 x 10^-14    1.25 x 10^-15

The next factor considered in the study was the probability of
failure detection for the soft-failure FDI system channel. The results
of the parametric study of this variable are presented in Figure 9.
They indicate that a significant improvement in system reliability is
achieved by incorporating some fault tolerance into the RSDIMU system.
On the other hand, the achievement of the maximum improvement in system
reliability requires the detection of virtually all failures encountered.
Multiple FDI channels can help significantly in this regard because if a
failure is not detected by one channel, it is a virtual certainty that
it will be detected by the channel in the hierarchy with the next smallest
thresholds. Typical values of the probability of detection, including
self-test, run in the vicinity of 0.8 to 0.9.

The previous results apply to the soft-failure channel. Param- 
etric studies were also made of the mid-failure channel probability of 
detection with the soft-failure channel probability of detection equal 
to 1.0 because of the lower thresholds, and similarly for the hard-failure 
channel. These results coincided with the value for the baseline case 
with perfect FDI for all cases. This conclusion is a consequence of 
the fact that a failure can be detected from its occurrence until the 
end of the mission. If enough samples are taken, the probability of 
detecting the failure will eventually reach unity and perfect FDI will 
be achieved. 

Figure 9. Probability of system failure vs. probability of
failure detection for a single FDI system channel.

Figure 10 presents the effect of the probability of correct isolation
for the soft-failure channel on RSDIMU system reliability. The
results indicate that correct failure isolation is a must to obtain the
maximum improvement in system reliability. Otherwise, an instrument
failure is present which is defined as a system failure.

Figure 10. Probability of system failure vs. probability of
correct isolation for a single FDI system channel.

The probability of damage is addressed in Figure 11. On the aver- 
age, an improvement of three orders of magnitude in system reliability 
for a one-hour mission is achieved because of the separation of the IMU 
into two units.



Figure 11. Probability of system failure vs. probability of 
damage for a separated IMU system. 

Mission time and its effect on RSDIMU reliability was another 
parameter investigated. The results are presented in Figure 12. For 
realistic values of the probability of detection for a single FDI system 
channel, system reliability appears to be virtually independent of mis- 
sion time in contrast to a system with perfect FDI. 




Figure 12. Probability of system failure vs. mission time.
(Horizontal axis: mission time in hours.)

The last effort undertaken in this area was to blend all of the
results generated thus far to come up with an estimate of the reliability
of a typical operational RSDIMU system. To do this, a gyro failure rate
of $400/10^6$ hours (MTBF of 2000 hours) and an accelerometer failure rate
of $333/10^6$ hours (MTBF of 3000 hours) were selected. These values were
obtained from discussions with CSDL's Reliability and Quality Assurance
Department. The thresholds were selected to be at $7.5\sigma$ and the
probability of damage effects was assumed to be zero. A probability of
soft-failure channel detection of 0.8 and a probability of correct
soft-failure channel isolation of 0.99 were chosen. Use of these
parameters resulted in a probability of system failures of
$4.27 \times 10^{-7}$ which is three orders of magnitude better than that of
the system with no FDI and redundancy management. This number is dictated
by the probability of failure detection.


SECTION 4

DERIVATION OF DYNAMIC THRESHOLDS
FOR THE DUAL, SEPARATED RSDIMU

4.1 Introduction

Reference 1 shows that some form of sensor uncertainty compensa- 
tion is needed to detect soft failures with the RSDIMU system. The 
basic problem is that a dynamic flight environment excites the sensor 
uncertainties to a greater extent than during cruise. Therefore, if it 
is desired to detect as small a failure as possible when the vehicle is 
not maneuvering without encountering a prohibitive number of false alarms 
when the vehicle maneuvers, the environment must be compensated for in 
some fashion. 

Dynamic thresholds were suggested as a solution to this problem 
during the previous CSDL program for NASA and a means for generating 
them developed. The work was restricted to the case where both halves 
of the RSDIMU are colocated. The thresholds consist of a constant and a 
dynamic portion. The constant accounts for high frequency effects such 
as quantization and sensor noise. The dynamic portion accounts for 
the effects of maneuvering flight on the sensor errors. 

A block diagram depicting the method used to generate the dynamic
thresholds is shown in Figure 13. The overall idea embodied in this
methodology is to parallel the development of the failure decision
function using an analytic expression for the worst-case sensor error. In
Figure 13 the top path is one channel of the FDI system block diagram
presented in Figure 3. The lower path describes the generation of the
thresholds. The last values of the vehicle accelerations and rates
obtained from the sensor outputs are filtered in the same way as the parity
equation residuals. These quantities are then used to generate an upper
bound for the parity equation residuals from an analytic expression.
The threshold function is then generated in a manner corresponding to
that in which the decision function is generated. The failure decision
function and threshold are then compared to determine if a failure has
occurred.

Figure 13. Generation of dynamic thresholds.

The concept of dynamic thresholds was evaluated via simulation
to assess its feasibility, evaluate its effectiveness, and uncover any
problems in applying it. A block diagram of the simulation used is shown
in Figure 14. The core of the simulation is a six-degree-of-freedom
aircraft model with nonlinear aerodynamics. Also modeled are a flight-
control system and turbulence. An autopilot "commands" the vehicle to
follow a desired trajectory profile. Skewed gyro and accelerometer
sensor configurations are modeled with the location of the sensors variable
to permit an assessment of accelerometer lever-arm effects. The sensors
are assumed to be of navigation quality and used for navigation and
flight-control purposes. The FDI algorithm operates on the sensor data
to generate the input signals to the flight-control and navigation
systems. Navigation accuracy is assessed by differencing the outputs of a
strapdown local-vertical-wander-azimuth navigation system model and the
vehicle states.

Figure 14. Simulation block diagram.

Figure 15 shows the 1-hour flight profile used to evaluate the
fault-tolerant system during the dynamic phases of the vehicle flight.
The profile includes features from a typical transport aircraft mission
profile: a climb to altitude, cruise, heading changes, descent, and a
loiter maneuver.

Figure 15. Evaluation trajectory profile.

The present program is concerned with the development and evalua- 
tion of an analytic technique for the generation of FDI thresholds for 
an aircraft system with dual, separated IMUs. The intent is to use all 
available instruments of both IMUs to detect and isolate sensor failures. 
The separation of the IMUs hinders failure detection and isolation, 
since the raw structural-mode and accelerometer lever-arm effects which 
the instruments sense are comparable in magnitude to the failures which 
may be encountered and can result in the false detection of failures if 
not properly accounted for. The selection of thresholds, a major
consideration in the development of any FDI system, is especially complicated
when separated, communicating IMUs are present, since these additional
factors must be taken into account. A spectrum of failure magnitudes
from hard through soft is considered. Finally, aircraft maneuvering adds
a significant dimension to the problem and dictates the need for variable
failure-detection thresholds to prevent the occurrence of false alarms.

4.2 Structural-Mode Effects


Each structural mode can be represented by a second-order dif- 
ferential equation with additional terms which, in general, couple in 
the basic rigid-body airframe response, the other modes, and the control- 
surface deflections. The effect of the structural modes on the angular 
rates and linear accelerations is a function of sensor location and is 
indicated by the following equations 


P B - p + «p b - p + p; 4 " 4 + p^" 5 + p; 6 1 6 


• • • 

q = q + 6a = q + q* n + q* n + q* Ti

n =n+6n =n+n n, + n n„+n n (1)

4.3 Accelerometer Lever-Arm Effects

The linear accelerations measured at a distance d meters from
the cg of the vehicle (in terms of the linear accelerations at the cg
of the vehicle and the accelerometer lever-arm effects) are defined by
the following equations

4.4 Background

The detection and isolation of the first two sensor failures and 
the detection of the third are required for the RSDIMU. Dynamic FDI sys- 
tem thresholds require an estimate of the incremental structural mode and 
accelerometer lever-arm effects between the locations of the two halves 
of the RSDIMU. References 4 and 5 describe a technique for generating these 
quantities which is satisfactory for the detection and isolation of the 
first sensor failure when the instruments are implemented in dual separated 
clusters. It uses the differences of the least-square estimates of the 
body-axes rates or acceleration from each half of the RSDIMU. This ap- 
proach is valid only for the first failure because reconfiguration will
then leave only one instrument in one of the halves of the RSDIMU. The
major contribution contained in this section of the report is the de- 
velopment of a technique for generating the incremental structural mode 
and accelerometer lever-arm effects which is valid for multiple, nonconcur- 
rent instrument failures. 

A concept for the least-square estimation of the structural mode 
and lever-arm effects which evolves from that presented in References 4 
and 5 and which is applicable to multiple, nonconcurrent failures has 
been developed by Mr. F. Morrell of the NASA Langley Research Center. 

It uses least square estimates of all combinations of two valid instruments 
to obtain the desired information. Furthermore, it is rather simple in 
that the computation of only one component of the body axes rates or 
accelerations is required from the estimates obtained for each pair of 
sensors. 

This section of the report describes a different approach to the 
problem using what is called a sensor-error estimation approach. Basic- 
ally, the approach is to compute the least-square estimates of the body- 
axes rates or accelerations using one of the RSDIMU halves with unfailed 
instruments. Estimates of the instrument outputs for the other half of 
the RSDIMU are computed using the estimated body axes quantities and the 
nominal sensor geometry matrix. The actual and estimated sensor outputs 
are then differenced to produce estimates of the sensor uncertainties. 
Estimates of the structural mode and lever-arm effects are then generated 
by resolving the estimated sensor uncertainties through the FDI system 
parity equations. The absolute value of these estimated structural mode 
and lever-arm effects is then used as the worst case estimate for the 
thresholds. 

The technique just described is derived for the EVT algorithm 
initially and later extended to the GLT. The accelerometers are considered 
rather than the gyros since both structural-mode and lever-arm effects must 
be considered. It is also assumed that filtering is present in the FDI
channel being considered to indicate how this aspect of the system is
treated.

4.5 EVT Parity Equations


The EVT parity equations are presented in this section. A complete 
derivation is included in Reference 1. The formulation is based on the 
projection of rates or accelerations measured in two planes along the 
line of intersection of the planes. As the measurement planes are ortho- 
gonal to the spin or pendulous axes, the "edge vectors" are defined by 
the line mutually perpendicular to these axes. They are the vectors, $e_{ij}$,
defined in Figure 1. Rates or accelerations measured in the $i$ and $j$
planes may be compared if they are expressed in a common frame. The
frame chosen here is the body frame. Then the residual $R_{ij}$ may be
expressed by

$$R_{ij} = (\omega_i^B - \omega_j^B) \cdot e_{ij}^B$$

If $|R_{ij}| > T$, an FDI threshold, then a miscompare flag, $F_{ij}$, is set.
FDI consists of logical operations on the flags $F_{ij}$.

For the case under consideration, the accelerometer inputs are defined
by the matrix equation

where

The edge vector parity equations are

where the body axes accelerations for each instrument are

Combining the last two sets of equations results in the parity
equations

4.6 The Derivation of Dynamic Thresholds for the EVT

The basic approach is to start with an analytic expression for 
the sensor error, structural-mode, and lever-arm effects and obtain ex- 
pressions for the parity-equation residuals. Upper bounds for the 
parity-equation residuals are then determined. The FDI system threshold 
is generated by duplicating the steps involved in the computation of 
the failure-decision function using the upper bounds for the parity- 
equation residuals rather than the actual residuals.

It is necessary to write expressions for the linear accelera-
tions at one IMU location in terms of those at the others. Using the 
right half of the RSDIMU as a reference and Eq. (1) and (2) leads to 
the following results 


n 


n + 6n 
X R 


n + 6n - 6n 
X R x Za X la 

Xj k 


n + 6n 
^R 


n + <5n - 6n + 6n - <5n 

y * y ‘* L y ** E \ \ 


n + 6n 
Z R 


n + 6n - 6n + 6n - 6n 

*» X X \ \ 


The output of the $j$th accelerometer of the right IMU can be
written as

$\delta m_{a_j}$ is a term representing the sensor errors. The sensor models
assumed for this study, described in detail in Reference 1, result in

A similar expression is obtained for the output of the $k$th accelerometer
of the left IMU using the appropriate accelerations. Use of the
equations for the accelerations measured by the left half of the RSDIMU in
terms of those of the right half leads to

Calculating the residuals from Eq. (3) results in

Several observations can be made from a consideration of the
previous equations. First, the parity equation residuals are a function
only of the uncertainties associated with the instruments. The parity
equations remove the effects of the measured variables, i.e.,
accelerations or rates. Second, the parity equation residuals for the IMUs
where the instruments are colocated, i.e., $R_{12}$ and $R_{34}$, are not affected
by the separation effects due to lever arms, bending and vibration as are
the other parity equation residuals. If the left IMU is used as a
reference, the same expressions for the residuals result with the
exception that the signs of the $\delta n_x$, $\delta n_y$, and $\delta n_z$ terms
are reversed.

A set of dynamic thresholds can be obtained by determining an
upper bound for each of the residuals. Performing a worst case analysis
leads to

$\delta m$ is an analytic expression for the upper bound of the sensor
error effects. This expression is solved in real time using the
following equation

$\delta m$ is obtained from Eq. (5) by assuming worst case conditions:

the magnitude of H^, H_. 2 , and H j 2 is less than or equal to 0.788675,
and the sensor errors are additive and bounded by their $3\sigma$ values. Use
is also made of the fact that $H_{j3} = 0.577350$. This is significant since
the steady-state value of the maximum parity-equation residual governs
the value of the soft failure detected with the FDI system. This steady-
state value is governed by the instrument bias and the effect of the 1-g
normal acceleration obtained during straight and level flight on the
other sensor errors. This latter effect is influenced by the magnitude
of $H_{j3}$. Thus, the use of the coefficient $H_{j3} = 0.577350$ will result
in a lower threshold and the ability to detect smaller failures.

In the same manner, the angle of the accelerometer pendulous axis
with respect to the x-y plane of the vehicle affects the level of soft
failure detected through $H^P_{j3}$ and the input-pendulous-axes coupling error.
For this study, the accelerometers are mounted such that $H^P_{j3} = 0.577350$,
i.e., at the same angle with respect to the x-y plane as the input axes
of the instruments.

$R_{13_m}$, $R_{14_m}$, $R_{23_m}$, and $R_{24_m}$ each contain a term which reflects
the incremental value of the separation effects between the two IMU locations.
If three or more independent measurements are available at each IMU
location, the required quantities can be obtained by generating a least-squares
solution for $n_x$, $n_y$, and $n_z$ at each IMU location and differencing like
quantities. This approach falls apart after the first failure is
detected and isolated since one instrument is analytically removed from
the system. Therefore, a least-squares solution can be obtained for
only one IMU.

A technique has been developed for generating the incremental 
separation effects which overcomes the deficiencies of the approach de- 
scribed in the previous paragraph. The least-squares solution of only 
one of the IMUs is required. Assume for the purposes of discussion that 
the right IMU is selected as the reference. This is a minor restriction 
which will be removed later. A least-squares solution can be obtained
for the right IMU resulting in the estimated quantities $n_{x_R}$, $n_{y_R}$, and
$n_{z_R}$. An estimate of the separation effects on the instruments of the
left IMU can be obtained by using $n_{x_R}$, $n_{y_R}$, and $n_{z_R}$ to generate an
estimate of the measurements of the left IMU and subtracting them from
the actual measurements. For example

$$\hat{m}_{a_{A1}} = \alpha n_{x_R} - \beta n_{y_R} + \gamma n_{z_R}$$

$$\delta\hat{m}_{a_{A1}} = m_{a_{A1}} - \hat{m}_{a_{A1}}$$

$$= \alpha (n_{x_L} - n_{x_R}) - \beta (n_{y_L} - n_{y_R}) + \gamma (n_{z_L} - n_{z_R})$$

$$= \alpha\,\delta n_x - \beta\,\delta n_y + \gamma\,\delta n_z \qquad (9)$$

Following this procedure leads to

$$\delta\hat{m}_{a_{B1}} = -\beta\,\delta n_x + \alpha\,\delta n_y + \gamma\,\delta n_z$$

$$\delta\hat{m}_{a_{A2}} = \beta\,\delta n_x + \alpha\,\delta n_y + \gamma\,\delta n_z$$

$$\delta\hat{m}_{a_{B2}} = -\alpha\,\delta n_x - \beta\,\delta n_y + \gamma\,\delta n_z \qquad (10)$$

Since the right IMU is the reference

$$\delta\hat{m}_{a_{A3}} = 0$$

$$\delta\hat{m}_{a_{B3}} = 0$$

$$\delta\hat{m}_{a_{A4}} = 0$$

$$\delta\hat{m}_{a_{B4}} = 0 \qquad (11)$$

Consider the parity equation $R_{13}$. Any uncertainty in the
measurements from instruments 1 and 3 is reflected in $R_{13}$ according to the
equation

$$\delta R_{13} = -\frac{1}{a}\left[\delta\hat{m}_{a_{A1}} - \delta\hat{m}_{a_{B1}} + \delta\hat{m}_{a_{A3}} - \delta\hat{m}_{a_{B3}}\right] \qquad (12)$$

Substituting Eq. (9), (10), and (11) into Eq. (12) leads to

$$\delta R_{13} = -\frac{1}{a}\left[\delta n_x - \delta n_y\right]$$

which is an estimate of the quantity needed for the threshold.

Thus, the procedure for generating an estimate of the effects of 
the IMU separation for the thresholds is to generate a least-squares 
solution for the accelerations of one of the IMUs of the system. These 
estimates are then used to form an estimate of the measurements of the 
other IMU. The estimated measurements are subtracted from the true
measurements to obtain the estimated effects of the separation on the
measurements. The quantities needed for the thresholds are then obtained 
by resolving these uncertainties through the parity equations. The 
absolute value of the solution is used for the thresholds. 

Several additional items regarding the thresholds should be 
pointed out at this time. One is that the last value of the linear ac- 
celerations (generated for the flight-control system from the sensor 
signals) can be used to generate the thresholds. Using these signals 
results in thresholds which reflect the current state of the aircraft 
and its environment. 

The effect of the filtering present in the mid- and soft-failure 
channels on the generation of the thresholds is now considered. In 
order to make a valid comparison between the residuals and thresholds, 
it is necessary to filter each in an identical fashion. It is prefer- 
able to filter the quantities required for the thresholds before the 
maximization and absolute values are generated. This results in a 
reduced level of noise which is not subject to maximization and leads 
to lower, more realistic thresholds. 

The subscript f in Eq. (7) and (8) indicates where the filtering
should occur in the generation of the thresholds. When $n_x$, $n_y$, and $n_z$
linearly affect the parity-equation residuals, it is possible to
interchange the operations of addition and multiplication by a constant and
filtering. It is not valid to do this with the nonlinear, input-axes-
squared, and input-pendulous-axes-coupling errors, however. The
nonlinear quantity must be formed and then filtered.

A development corresponding to the one undertaken with the right 
IMU as the reference can be generated using the left IMU as the reference. 
The same expressions for the thresholds as presented in Eq. (7) are ob- 
tained. For this case 


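$$\delta\hat{m}_{a_{A1}} = \delta\hat{m}_{a_{B1}} = \delta\hat{m}_{a_{A2}} = \delta\hat{m}_{a_{B2}} = 0.0$$

Nonzero estimates for the separation effects on instruments 3 and 4
result which are

$$\delta\hat{m}_{a_{A3}} = -\alpha\,\delta n_x + \beta\,\delta n_y + \gamma\,\delta n_z$$

$$\delta\hat{m}_{a_{B3}} = \beta\,\delta n_x - \alpha\,\delta n_y + \gamma\,\delta n_z$$

$$\delta\hat{m}_{a_{A4}} = -\beta\,\delta n_x - \alpha\,\delta n_y + \gamma\,\delta n_z$$

$$\delta\hat{m}_{a_{B4}} = \alpha\,\delta n_x + \beta\,\delta n_y + \gamma\,\delta n_z$$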


The effects of these quantities on the residuals are of the same magnitude 
but opposite in sign to those obtained previously. Thus the same thresh- 
olds result. 

It is necessary to examine the effect of failures on the thresh- 
olds. The statistics of the parity equation residuals change to reflect 
the presence of a failure, e.g., the mean changes due to a bias failure. 

If one of the instruments of the reference IMU fails, the least-square 
estimate of the accelerations or rates will change to reflect the presence 
of this failure. This failure will in turn affect the thresholds via the 
terms generated to account for the separation effects. Similarly if 
the failure occurs in one of the instruments not in the reference IMU, 
the instrument output used to generate the separation effects will reflect 
the failure and result in a change in the threshold. As things presently 
stand, both the residuals and thresholds change due to a failure and 
detection and isolation is not possible. Modifications must be made 
to the FDI algorithm to eliminate this deficiency.

The technique employed is to pass the estimated separation ef-
fects through washout filters before taking the absolute value for the 
thresholds. These filters have the effect of attenuating the low- 
frequency data of the signals while passing the high-frequency data intact. 
Washout filtering removes the effect of the instrument biases and bias 
failures from the separation effects so that the thresholds return to 
their prefailure values. The parity equation residuals change to reflect 
the effect of the failures and failure detection and isolation occurs 
when the thresholds are exceeded. 

The approach defined in the previous paragraph will also work 
properly for nonbias-type failures. The washout filter has a differen- 
tiating effect on the separation effects so that the residuals change 
as a function of the integral of the effect on the thresholds. For 
example, consider a ramp failure. The residuals will change linearly 
with time while the thresholds will change by a constant amount. 

It is not necessary to washout filter the portion of the FDI 
thresholds due to the sensor errors. This is true since any error 
effect in the least-squares estimate of the accelerations is modified 
by the $3\sigma$ value of a sensor error which reduces its effect to second
order. 
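
The estimation procedure and the washout filtering described above, as an added example that is not the report's own code. The value of beta (chosen so each geometry row is a unit vector), the first-order washout with a 1 s time constant, the 50 Hz step, and the simulated 5 Hz relative motion and 0.5 bias failure are assumptions or constructed inputs; the sketch stops at the estimated separation effect on measurement A1 and does not resolve it through the parity equations.

```python
import math

# ALPHA and GAMMA are the values printed on the page; BETA is an assumption,
# chosen so that every row of the geometry matrices is a unit vector.
ALPHA, GAMMA = 0.788675, 0.577350
BETA = math.sqrt(1.0 - ALPHA ** 2 - GAMMA ** 2)   # about 0.211326
A, B, G = ALPHA, BETA, GAMMA
# Rows follow the sign patterns of Eq. (9) and (10) (left IMU, instruments
# 1 and 2) and of the left-reference equations (right IMU, instruments 3 and 4).
H_LEFT = [[A, -B, G], [-B, A, G], [B, A, G], [-A, -B, G]]     # A1 B1 A2 B2
H_RIGHT = [[-A, B, G], [B, -A, G], [-B, -A, G], [A, B, G]]    # A3 B3 A4 B4


def matvec(H, x):
    return [sum(h * v for h, v in zip(row, x)) for row in H]


def least_squares(H, m):
    """Solve min ||H n - m|| for n through the normal equations."""
    k = len(H[0])
    # Augmented matrix [H^T H | H^T m].
    M = [[sum(r[i] * r[j] for r in H) for j in range(k)]
         + [sum(r[i] * mk for r, mk in zip(H, m))] for i in range(k)]
    for c in range(k):                      # Gauss-Jordan with partial pivoting
        piv = max(range(c, k), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(k):
            if r != c:
                M[r] = [vr - M[r][c] * vc for vr, vc in zip(M[r], M[c])]
    return [row[-1] for row in M]


def separation_estimate(m_left, m_right):
    """Estimated separation effect on each left-IMU measurement,
    using the right IMU as the reference."""
    n_ref = least_squares(H_RIGHT, m_right)   # accelerations at the right IMU
    m_pred = matvec(H_LEFT, n_ref)            # predicted left-IMU outputs
    return [m - mp for m, mp in zip(m_left, m_pred)]


class Washout:
    """First-order high-pass: y[k] = a*(y[k-1] + x[k] - x[k-1]), a = tau/(tau+dt)."""

    def __init__(self, tau, dt):
        self.a = tau / (tau + dt)
        self.prev_x = None
        self.y = 0.0

    def step(self, x):
        if self.prev_x is not None:
            self.y = self.a * (self.y + x - self.prev_x)
        self.prev_x = x
        return self.y


def simulate(bias=0.5, t_fail=2.0, duration=12.0, dt=0.02, tau=1.0):
    """Constructed scenario: 5 Hz relative motion between the IMUs plus a bias
    failure on left-IMU measurement A1. Returns (times, raw, washed) for A1."""
    washout = Washout(tau, dt)
    times, raw, washed = [], [], []
    for k in range(int(round(duration / dt))):
        t = k * dt
        n_right = [0.3, -0.1, -9.8]                                # at the right IMU
        dn = [0.05 * math.sin(2.0 * math.pi * 5.0 * t), 0.0, 0.0]  # left minus right
        m_right = matvec(H_RIGHT, n_right)
        m_left = matvec(H_LEFT, [a + d for a, d in zip(n_right, dn)])
        if t >= t_fail:
            m_left[0] += bias                                      # bias failure on A1
        d = separation_estimate(m_left, m_right)[0]
        times.append(t)
        raw.append(d)
        washed.append(washout.step(d))
    return times, raw, washed


if __name__ == "__main__":
    times, raw, washed = simulate()
    for i in (90, 100, 150, 599):
        print(f"t={times[i]:5.2f}  raw={raw[i]:+.4f}  washed={washed[i]:+.4f}")
```

The unfiltered estimate keeps the full bias after the failure, so a threshold built from it would rise with the residual; the washed-out estimate spikes at the failure and then decays back to the level set by the relative motion alone.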

The FDI algorithm just developed offers several possibilities 
for implementation. The most conservative approach but also the most 
demanding in terms of computational requirements would involve the 
implementation of two identical FDI algorithms, one using each IMU as 
a reference. This scheme affords dual detection capability for the 
first failure, a feature which would lower the false alarm rate. The 
algorithm associated with the IMU containing unfailed instruments 
could then be used for the detection and isolation of the second and 
third failures.

The FDI algorithm proposed accounts for factors such as the de-
tection and isolation of soft instrument failures, the effects of vehicle 
dynamics, and IMU separation. It is valid as long as the basic assump- 
tions upon which the thresholds are derived are valid. One instance 
where this may not be true is when saturation-type failures occur for 
which the instrument outputs do not contain information about the 
separation effects. If the failure is large enough, it will be detected 
and isolated via the hard-failure channel and the system reconfigured
to eliminate its effect before the instrument output is used. The 
shorting of an instrument output is an example of this type of fail- 
ure. It is equivalent to a failure of a large magnitude and is 
detected via the hard-failure channel on the first subsequent pass of 
the FDI algorithm. Built-in test equipment (BITE) would also be 
valuable in detecting and isolating failures of this nature and should 
be an integral part of the final FDI system. 

4.7 Description of the GLT Algorithm 

The GLT algorithm is briefly described in this section. Consider
first the hard-failure channel. In the absence of sensor failures, the
measurement equation is

    $$ m = H\omega + \epsilon \tag{13} $$

A set of parity equations is defined by

    $$ p = Vm \tag{14} $$

where

    $$ VH = 0 $$

V is assumed to be of dimension (n - 3) x n. The matrix V can be chosen
so that

    $$ VV^T = I $$

Substituting Eq. (13) into Eq. (14) yields

    $$ p_N = V\epsilon $$

In the absence of sensor failures, $p_N$ depends only on the measurement
noise. If sensor j experiences a bias-type failure and that failure
is manifest as an apparent bias shift of magnitude b in measurement j,
then

    $$ p_F = V\epsilon + V_j b $$

The difference in the statistics of $p_N$ (in the absence of failures)
and $p_F$ (in the presence of failures) provides a basis for detecting
and isolating failures. The problems of detecting and isolating sensor
failures fall within the general framework of composite hypothesis
tests, since the sign as well as the magnitude of the bias failure is
unknown a priori.

A GLT formulation of the detection and isolation problems has been
developed. Assume single-axis failures initially. The GLT decision
functions for detection and isolation are

    $$ DF_D = p^T p \tag{15} $$

These decision functions are strictly functions of the parity-equation
residuals, p. The detection decision is made by comparing $DF_D$ (which
is the sum of the squares of the parity-equation residuals) to a
detection threshold. A sensor failure results in a change in the mean
value of a sensor output, the parity-equation residuals, and the
failure-detection function. The isolation decision is then made by
determining $\max_j (DF_j)$. The value of j that maximizes $DF_j$
identifies the sensor that is most likely to have failed.


The preceding discussion assumes a set of n SDOF instruments. The
extension to TDOF sensors requires certain modifications to reflect
the characteristics of these instruments. Correlation between the noise
present in the two measurements derived from a TDOF sensor is possible.
One approach is to assume no correlation, design the FDI algorithms
accordingly, and examine the degradation of FDI performance which
occurs due to the presence of the nonzero values of correlation. This
approach leads to the simplest algorithms and is preferred when the
performance penalty incurred for nonzero values of correlation is
acceptably small. In this case, the detection problem formulation is not
changed, and the appropriate decision function is given by Eq. (15).


In formulating the isolation problem, another characteristic of
TDOF sensors must be considered. A TDOF sensor failure may be reflected
in either or both of its measurement axes. In practice, a failure
observed in either axis is sufficient to disqualify the data from both
of the sensor axes. Thus, isolation of a failed sensor rather than of a
failed axis is sufficient. The isolation problem then involves testing
only n/2 hypotheses. The GLT decision function for isolation which
corresponds to Eq. (15) is

    $$ DF_j = p^T V_j \left(V_j^T V_j\right)^{-1} V_j^T p, \qquad j = 1, 2, \ldots, n/2 $$

where $V_j = [V_{2j-1}, V_{2j}]$ and $V_{2j-1}$, $V_{2j}$ are two columns
of the V matrix associated with TDOF sensor j.

The detection and isolation of the mid and soft failures is
accomplished using the same decision functions as for the hard-failure
channel. The only exception is that the appropriately filtered
parity-equation residuals are used in lieu of the unfiltered ones.
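
The hard-failure channel described in this section, as an added Python example that is not code from the report: it builds a V with VH = 0 and VV^T = I, forms p = Vm, evaluates the detection function p^T p, and isolates the failed TDOF sensor with the two-column decision function. The sensor geometry, true input, noise, bias and the fixed threshold are constructed assumptions; the report uses the dynamic threshold of Eq. (18) in place of a fixed one.

```python
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def parity_matrix(H, tol=1e-9):
    """Gram-Schmidt: V with V H = 0, V V^T = I (H assumed full column rank)."""
    n, found = len(H), []
    cols = [[row[c] for row in H] for c in range(len(H[0]))]
    units = [[float(k == i) for k in range(n)] for i in range(n)]
    for v in cols + units:
        for q in found:                        # remove the component along q
            d = dot(v, q)
            v = [a - d * b for a, b in zip(v, q)]
        norm = math.sqrt(dot(v, v))
        if norm > tol:                         # skip vectors already spanned
            found.append([a / norm for a in v])
    return found[len(cols):]                   # rows after the basis of col(H)

def isolation_functions(V, p):
    """DF_j = p^T V_j (V_j^T V_j)^-1 V_j^T p, one value per TDOF sensor."""
    scores = []
    for j in range(len(V[0]) // 2):
        c1, c2 = [r[2 * j] for r in V], [r[2 * j + 1] for r in V]
        g1, g2 = dot(c1, p), dot(c2, p)
        a, b, d = dot(c1, c1), dot(c1, c2), dot(c2, c2)
        det = a * d - b * b                    # determinant of V_j^T V_j
        scores.append((d * g1 * g1 - 2 * b * g1 * g2 + a * g2 * g2) / det)
    return scores

def glt_fdi(m, V, threshold):
    """Return (DF_D, index of the isolated TDOF sensor or None)."""
    p = [dot(row, m) for row in V]             # parity residuals p = V m
    df_d = dot(p, p)                           # detection function p^T p
    if df_d <= threshold:
        return df_d, None
    scores = isolation_functions(V, p)
    return df_d, scores.index(max(scores))

A = 1 / math.sqrt(2)
# Constructed geometry (assumption): rows are axes A1,B1,A2,B2,A3,B3,A4,B4.
H = [[A, 0, A], [0, 1, 0], [0, A, A], [-1, 0, 0],
     [-A, 0, A], [0, -1, 0], [0, -A, A], [1, 0, 0]]
V = parity_matrix(H)
omega = [0.1, -0.2, 9.8]                       # constructed true input
noise = [1e-3, -2e-3, 5e-4, 1e-3, -1e-3, 2e-3, -5e-4, 1e-3]  # constructed
healthy = [dot(h, omega) + e for h, e in zip(H, noise)]
failed = list(healthy)
failed[3] += 0.5                               # constructed bias on axis B2
```

Calling glt_fdi(failed, V, 0.01) returns sensor index 1 (the second TDOF sensor, axes A2 and B2); the healthy measurement set stays below the threshold and returns None.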

4.8 The Derivation of Dynamic Thresholds for the GLT 

The same general approach used to generate the dynamic thresholds
in the case of the EVT applies to the GLT. Assume that the right half
of the RSDIMU is the reference. Substituting Eq. (4) and (6) into the
parity equations results in the following residuals

    $$ p_i = \sum_j V_{ij}\,\delta m_j + \sum_k V_{ik}\left(H_{k1}\,\delta n_x + H_{k2}\,\delta n_y + H_{k3}\,\delta n_z\right) \tag{16} $$

    i = 1,2,...,n-3; j = A1,B1,...,A4,B4; k = A1,B1,A2,B2

This expression results since VH = 0. It consists of two terms. The
first results from the sensor errors and the second from the incremental
structural mode and lever-arm effects between the locations of the two
halves of the RSDIMU.

An upper bound for Eq. (16) is

    $$ p_{i_m} = \sum_j |V_{ij}|\,\delta m_{j_m} + \sum_k \left|V_{ik}\left(H_{k1}\,\delta n_x + H_{k2}\,\delta n_y + H_{k3}\,\delta n_z\right)\right| \tag{17} $$

    i = 1,2,...,n-3; j = A1,B1,...,A4,B4; k = A1,B1,A2,B2

The dynamic threshold is then obtained by summing the squares of the
upper bound for each parity equation, i.e., duplicating the generation
of the decision function. The resulting expression is

    $$ T = \sum_{i=1}^{n-3} \left(p_{i_m}\right)^2 \tag{18} $$

In order to calculate the FDI system thresholds, Eq. (18), and
hence Eq. (17), must be calculated in real time. Consider the first
term of Eq. (17). The $V_{ij}$'s are known and $\delta m_{j_m}$ is the
upper bound for the sensor errors given by Eq. (8). The only terms that
have to be determined are the incremental effects of the structural
modes and lever arms, i.e., the
$(H_{k1}\,\delta n_x + H_{k2}\,\delta n_y + H_{k3}\,\delta n_z)$ terms.
They may be generated by using the sensor error estimation approach
described for the EVT. The derivation of Eq. (9), (10), and (11)
demonstrates the method.

Many comments were made during the development of the dynamic
thresholds for the EVT approach regarding their implementation, the
low-pass filtering and washout filter, for example. All of these
comments apply to the GLT approach as well but are not repeated here
for brevity.

4.9 Simulation Validation and Results 

Both the least-square and sensor-error techniques for estimating
the structural-mode and lever-arm effects have been programmed into the
CSDL simulation described in Section 4.1 to validate the concepts and
uncover any additional problems which may exist with regard to their
implementation.

An example of the results obtained is shown in Figure 16 and
Table 5. These results were obtained using the GLT algorithm with three
soft accelerometer failures introduced into the aircraft system flying
the trajectory presented in Figure 15. Table 5 indicates when the
failures were introduced, their magnitudes, the failed axis and the time
at which the failures were detected. The time histories presented in
Figure 16 show the hard-, mid-, and soft-failure decision functions
obtained during the one-hour flight and the soft-failure channel
threshold implemented via Eq. (18). Consider first the failure decision
functions. The hard-failure channel decision function response is
characterized by quantization noise. Its magnitude of (7770 μg)^2 sets
a lower bound on the magnitude of failure which can be detected
reliably with this channel without false alarms. The effect of low-pass
filtering to enhance the detectability of smaller failures is evident
from the mid- and soft-failure channel decision functions. The effect
of the three failures is clearly evident in the soft-failure channel
decision function. The first two spikes are caused by the introduction
of the first two failures into the system and the elimination of their
effects by reconfiguration. The third failure is evident as a step
response in the soft-failure decision function since the failure can
only be detected and not isolated. The effects of vehicle maneuvers are
also evident, e.g., the spikes superimposed on the step effect due to
the third failure. These are caused by the loiter maneuver.

Figure 16. Accelerometer FDI system decision functions and
soft-channel threshold decision functions.

Table 5. Simulation example data.

    Time of Failure    Magnitude of    Axis    Detection Time
    Input (sec)        Failure                 (sec)
    ---------------    ------------    ----    --------------
    617                3000            B2      633.48
    1100               3000            B3      1113.98
    2200               4000            B4      2209.98

The soft-failure channel threshold is also shown in Figure 16.
An initial engage transient is present in this response along with
spikes due to the first two sensor failures. The washout filter in the
threshold generation algorithm causes the thresholds to return to their
prefailure values, resulting in failure detection. After each of the
first two failures is detected and the system reconfigured, a lower
threshold results since fewer parity equations are required for
detection and isolation. With the detection of the third failure, the
thresholds are set to zero in the algorithm. Maneuver effects are also
evident in the threshold.

The results of the simulation tend to confirm the validity of the
sensor-error and least-square estimation techniques for generating
estimates of the incremental structural mode and lever-arm effects for
dynamic thresholds. Multiple, nonconcurrent failures have been detected
and isolated using both concepts. However, it is cautioned that only a
limited number of evaluations have been made and further refinements to
the algorithm may result from more extensive testing.


SECTION 5


SUMMARY 


Two major goals were achieved during the course of this program.
The first was the development and application of a technique for
quantitatively evaluating the reliability of the RSDIMU. A detailed
development of the Markov model generated for this purpose was
presented. The results of the study of the impact of pertinent system
parameters on the reliability of the RSDIMU were discussed. Many
significant conclusions were drawn from these results. For example, the
impact of false alarms on system reliability was one of those discussed
in Section 3.1.

The second major goal achieved during this program was the
development of an algorithm for generating dynamic thresholds for the
dual, separated RSDIMU which is valid for the detection of multiple,
nonconcurrent failures. It takes into account the incremental effects
of the structural modes and accelerometer lever arms between the two
sensor locations which are a significant factor. A technique called the
sensor-error method of estimating these quantities was presented. In
addition to an analytic development of this algorithm, the results of
its evaluation via simulation are presented and discussed.